Try it yourself with our free Sql Formatter tool — runs entirely in your browser, no signup needed.

How to Format SQL queries in Python

How to Format SQL Queries in Python

Properly formatting SQL queries in Python is crucial for maintaining readability, preventing SQL injection attacks, and ensuring efficient database interactions. In this guide, we will explore how to format SQL queries in Python using best practices and practical examples.

Quick Example

Here is a minimal example that solves the most common use case:

import sqlite3

# Define the query with placeholders
query = """
    SELECT *
    FROM users
    WHERE name = ?
    AND age = ?
"""

# Define the parameters
params = ("John", 30)

# Connect to the database
conn = sqlite3.connect("example.db")
cursor = conn.cursor()

# Execute the query with parameters
cursor.execute(query, params)

# Fetch the results
results = cursor.fetchall()

# Print the results
for row in results:
    print(row)

# Close the connection
conn.close()

This example uses the sqlite3 module to connect to a SQLite database, define a query with placeholders, and execute the query with parameters.

Step-by-Step Breakdown

Let's walk through the code line by line:

  1. import sqlite3: We import the sqlite3 module, which is Python's built-in SQLite database module.
  2. query = """...""": We define the SQL query as a multiline string using triple quotes. This allows us to write the query with proper indentation and formatting.
  3. params = ("John", 30): We define the parameters for the query as a tuple. In this case, we have two parameters: name and age.
  4. conn = sqlite3.connect("example.db"): We connect to the SQLite database file example.db.
  5. cursor = conn.cursor(): We create a cursor object to execute queries on the database.
  6. cursor.execute(query, params): We execute the query with the parameters. The ? placeholders in the query are replaced with the actual values from the params tuple.
  7. results = cursor.fetchall(): We fetch all the results from the query.
  8. for row in results: print(row): We print each row of the results.
  9. conn.close(): We close the database connection.

Handling Edge Cases

Here are some common edge cases to consider:

Empty/Null Input

If the input parameters are empty or null, the query will raise an error. To handle this, we can add a simple check before executing the query:

if not params:
    print("Error: Empty input")
else:
    cursor.execute(query, params)

Invalid Input

If the input parameters are not valid (e.g., non-string values for name), the query will raise an error. To handle this, we can add input validation before executing the query:

if not isinstance(params[0], str) or not isinstance(params[1], int):
    print("Error: Invalid input")
else:
    cursor.execute(query, params)

Large Input

If the input parameters are very large (e.g., a large list of values), the query may timeout or raise an error. To handle this, we can use a more efficient query or optimize the database schema.

# Use a more efficient query
query = """
    SELECT *
    FROM users
    WHERE name IN (?)
    AND age IN (?)
"""

params = (["John", "Jane", "Bob"], [30, 31, 32])

# Use a more efficient database schema
# (e.g., use an index on the `name` column)

Unicode/Special Characters

If the input parameters contain Unicode or special characters, the query may raise an error. To handle this, we can use Unicode-aware string formatting:

query = """
    SELECT *
    FROM users
    WHERE name = %s
    AND age = %s
"""

params = ("Johné", 30)

# Use Unicode-aware string formatting
cursor.execute(query, params)

Common Mistakes

Here are three common mistakes developers make when formatting SQL queries in Python:

Mistake 1: Using string concatenation

query = "SELECT * FROM users WHERE name = '" + name + "' AND age = " + str(age)

Corrected code:

query = """
    SELECT *
    FROM users
    WHERE name = ?
    AND age = ?
"""
params = (name, age)

Mistake 2: Not using parameterized queries

query = "SELECT * FROM users WHERE name = '" + name + "' AND age = " + str(age)

Corrected code:

query = """
    SELECT *
    FROM users
    WHERE name = ?
    AND age = ?
"""
params = (name, age)

Mistake 3: Not handling edge cases

query = """
    SELECT *
    FROM users
    WHERE name = ?
    AND age = ?
"""
params = (name, age)
cursor.execute(query, params)

Corrected code:

if not params:
    print("Error: Empty input")
else:
    cursor.execute(query, params)

Performance Tips

Here are three practical performance tips for formatting SQL queries in Python:

  1. Use parameterized queries: Parameterized queries are more efficient than string concatenation and reduce the risk of SQL injection attacks.
  2. Use efficient database schema: Optimize your database schema to reduce the number of queries and improve query performance.
  3. Use caching: Use caching mechanisms (e.g., Redis, Memcached) to store frequently accessed data and reduce the load on your database.

FAQ

Q: What is the difference between ? and %s placeholders?

A: ? placeholders are used for SQLite databases, while %s placeholders are used for other databases (e.g., MySQL, PostgreSQL).

Q: How do I handle large input parameters?

A: Use a more efficient query or optimize the database schema.

Q: What is the best way to handle Unicode characters in SQL queries?

A: Use Unicode-aware string formatting.

Q: Can I use string concatenation for SQL queries?

A: No, string concatenation is not recommended due to the risk of SQL injection attacks.

Q: How do I optimize my database schema for better performance?

A: Use indexes, normalize your data, and avoid unnecessary queries.

Related Resources

Sql Formatter

Use the interactive sql formatter tool

More Sql Formatter Examples

See all languages and use cases

All Code Examples

Browse examples for every language and use case

All Developer Tools

50+ free online developer tools

AI agent tools available. The CodeTidy MCP Server gives Claude, Cursor, and other AI agents access to 60+ developer tools. One command: npx @codetidy/mcp